
ISO 27701: Extending ISMS for Privacy

Why extend the ISMS for privacy?

Most organisations have already realised that information security and privacy are not separate worlds.

However, it is still common to see companies with a relatively mature ISMS and, at the same time, with scattered privacy practices that are poorly documented and difficult to demonstrate to customers, partners, auditors and authorities.

This is precisely where ISO/IEC 27701 comes into play: the standard defines requirements and guidance for a Privacy Information Management System (PIMS) and is designed to help organisations that process personal data to structure privacy governance in a systematic way, with accountability, risk management and continuous improvement.

The current edition is ISO/IEC 27701:2025, and ISO itself states that it aligns with systems already based on ISO/IEC 27001, also supporting the demonstration of compliance with privacy regulations such as the GDPR.

There is also an important point that many teams are unaware of

For years, ISO/IEC 27701:2019 was understood as an extension of ISO/IEC 27001 and ISO/IEC 27002 for privacy management. However, ISO has withdrawn that edition and published ISO/IEC 27701:2025 as an independent management system standard.

In practice, this does not eliminate the strong link between security and privacy; on the contrary, it reinforces the idea that privacy should be managed with the same discipline, structure and evidence as security.

In other words, it still makes perfect sense to talk about ‘extending the ISMS to privacy,’ because this is how many organisations are able to implement a PIMS efficiently, reusing existing governance, processes, risk methodology, internal audits, document management and improvement mechanisms.

But what does it mean in practice to extend an ISMS to privacy? It means no longer looking only at the protection of information as a corporate asset, but also at the impact of processing on people.

A classic ISMS is strongly oriented towards confidentiality, integrity, and availability.

A PIMS, without abandoning this basis, adds essential questions: what personal data are we processing, for what purpose, on what basis, and for how long?

Who decides the means and purposes of the processing and who processes data on behalf of whom?

How do we ensure transparency, minimisation, adequate retention, access control, response to rights and correct selection of suppliers?

The logic is no longer just ‘protecting data’ but ‘governing the processing of personal data in a demonstrable and consistent manner’. The European Commission points out that the GDPR is based on principles such as lawfulness, transparency, purpose limitation, minimisation and retention, while ISO positions 27701 as the appropriate management system to operationalise this discipline.

That is why ISO 27701 should not be treated as a legal annex to the ISMS, nor as a simple collection of privacy policies.

The value of the standard lies in integrating privacy into the existing management architecture.

When an organisation already works with organisational context, stakeholders, leadership, objectives, risk assessment, competencies, operation, document control, internal audit and management review, it already has half of the discipline necessary for a robust PIMS.

The next step is to adapt this structure to the world of personal data: redefine scope, clarify the roles of controller and processor, map processing activities, align policies, review controls, strengthen third-party management, document evidence, and introduce metrics that prove not only that the organisation ‘has good intentions,’ but that it can demonstrate compliance on an ongoing basis.

One of the biggest mistakes in privacy projects is to assume that the issue belongs solely to the DPO or the legal department.

Privacy is cross-cutting.

Top management must define direction, resources, priorities, and risk appetite.

The CISO or security officer contributes to control architecture, risk management, incidents, access, records, monitoring, and supplier security.

The DPO, where applicable, often acts as the central point of contact for privacy matters, helping to interpret requirements, monitor the programme, and ensure consistency.

The IT team implements technical controls; purchasing and procurement evaluate suppliers; HR handles employment data; marketing and sales deal with consents, preferences, transparency, and campaigns; and process owners know the real purpose of the processing.

This distribution of responsibilities is consistent with the distinction between controller and processor explained by the European Commission and with the need for accountability documented in the GDPR framework.

When moving from an ISMS to a PIMS, organisations need to review their controls through a new lens.

In security, a control may seem adequate because it restricts access or encrypts information.

In privacy, this is necessary but not sufficient.

It is also important to ensure that the data collected is adequate for the purpose, that there is an appropriate basis for processing, that the information provided to data subjects is consistent with what actually happens, that retention periods are defined and enforced, that systems allow for responding to requests for access, erasure or rectification where applicable, and that new initiatives incorporate privacy by design.

The European Commission is clear in stating that data protection ‘by design and by default’ must be considered from the early stages of processing.

A mature PIMS transforms this principle into a process, design criterion and auditable evidence.

In operational terms, it is worth considering ISO 27701 controls throughout the personal data lifecycle.

In collection

The organisation needs to know exactly what data is coming in, where it comes from, for what purpose, and in which systems it is recorded.

In use

It must ensure rules of access, segregation of duties, data quality, user training, and consistency between operational practice and reported information.

In sharing

It must control internal transfers, third parties, subcontractors, and contractual bases.

During retention

It must apply clear timetables and mechanisms for deletion or anonymisation.

When responding to the data subject

It must know how to locate data, assess requests, meet deadlines and keep a record of actions.

When managing incidents

It must coordinate technical response, assessment of the impact on people, escalation and documentation. An organisation that treats each of these phases as part of its management system will be much better prepared to demonstrate real control.

Third-party management deserves a separate chapter

Many privacy weaknesses do not arise within the company, but in the ecosystems of software, cloud, outsourcing, payroll, marketing automation, technical support or analytics.

The European Commission points out that a processor may only process data on behalf of an organisation under a contract or other appropriate legal act, and that the controller must choose entities that offer sufficient guarantees of appropriate technical and organisational measures.

This means that a serious PIMS is not limited to signing standard clauses and filing PDFs.

It requires due diligence, evaluation criteria, contract review, subcontracting analysis, oversight mechanisms, alignment with incident response, and traceability of decisions.

If your ISMS already includes vendor risk management, then you have an excellent basis for extending that process to specific privacy requirements.

Another critical element is evidence

In many projects, the organisation has meetings, decisions and even good practices, but cannot prove anything consistently.

And without proof, there is no robust accountability.

The European Commission emphasises that the GDPR requires not only compliance, but the ability to demonstrate it.

This is where PIMS adds enormous value: it forces you to transform intentions into records, policies, criteria, approvals, reports, training evidence, responsibility matrices, inventories, processing records, assessments, monitoring results and corrective actions.

When a customer asks how personal data is managed; when an auditor wants to understand how a processor is controlled; or when management wants to know if retention periods are being met, the answer should not depend on one person’s memory.

There must be objective, up-to-date and accessible evidence.

What kind of evidence is typically part of a well-structured PIMS?

Without turning the programme into a bureaucratic exercise, there are a number of artefacts that tend to be essential:

  • definition of the scope of the PIMS;
  • privacy policy and related policies;
  • mapping of controller/processor roles;
  • inventory of processing activities;
  • criteria for privacy by design;
  • record of risk assessments and, where applicable, more in-depth assessments;
  • processes for managing data subject requests;
  • retention and disposal criteria;
  • third-party management mechanisms;
  • training plans and records;
  • access control logs and evidence;
  • incident records;
  • monitoring results;
  • internal audits;
  • management review;
  • and corrective actions with follow-up.

None of this is unfamiliar to those who already operate an ISMS. The difference lies in making the scope of personal data explicit and ensuring that privacy language is incorporated into the system.

For many organisations, the most efficient way to implement ISO 27701 is to follow a phased roadmap

First, clarify the scope: which units, services, geographies, systems and processing categories will be included in the PIMS?

Then, perform a gap assessment between the existing ISMS, the privacy practices already in place and the requirements of ISO 27701.

Next, review governance: roles, responsibilities, reporting, committees, and decision criteria.

Only then does it make sense to deepen the control layer: adjusting policies, inventories, third parties, development, retention, data subject rights, and incident management.

In parallel, work on evidence and indicators so that the programme can be monitored.

Finally, the typical stages of management systems come into play: training, internal auditing, management review, and continuous improvement. This phased approach reduces friction and avoids the mistake of trying to ‘glue’ privacy to the ISMS at the last minute.

It is also worth debunking some myths

The first myth is to think that ISO 27701 replaces the legal analysis of the GDPR.

It does not. The standard helps to structure governance, responsibilities, controls and evidence; it does not eliminate the need to interpret legal requirements in the specific context of the organisation.

The second myth is to believe that privacy is just documentation.

It is not. Without operational controls, architecture, mapped data, third-party management and responsiveness, documentation becomes decorative.

The third myth is to assume that a mature ISMS automatically solves privacy.

It helps a lot, but it does not, on its own, cover essential aspects such as processing roles, information to the data subject, minimisation, retention, privacy by design and accountability.

The strength of ISO 27701 lies precisely in filling this gap in a systematic way.

From a strategic point of view, extending the ISMS to privacy brings very concrete benefits.

Firstly, it creates a common language between security, privacy, IT, legal and business.

Secondly, it reduces redundancies because it leverages existing structures rather than creating a “parallel programme”.

Thirdly, it improves the ability to respond to customer questionnaires, supplier assessments, due diligence and audits.

Fourthly, it increases trust: partners and regulators tend to value organisations that can demonstrate method, control and continuous improvement.

And finally, it helps to transform privacy into an operational discipline rather than a reactive issue dealt with after the problem arises.

ISO itself highlights benefits such as enhanced privacy protection, PII risk management, trust building and alignment with existing ISO/IEC 27001 systems.

For CISOs, DPOs and IT teams, the core message is simple

ISO 27701 should not be seen as yet another layer of bureaucracy, but as a natural step for organisations that already take information security seriously and need to demonstrate maturity in personal data management.

If your organisation already has an ISMS, then you already have a significant part of the foundation in place.

What is missing is making privacy explicit, governed, evident and integrated into day-to-day controls.

That is what a well-designed PIMS does.

Next steps

Want to accelerate this journey?

Download the ISO 27701 checklist and use it to map gaps, assign responsibilities, and prioritise integration between ISO 27001 and GDPR in your compliance programme.
