
ISO 27701 Requirements: The Complete Documentation Checklist

An ISO 27701 requirements checklist saves you from guessing what a privacy auditor will expect. Because ISO 27701 is an extension of ISO 27001, the checklist has two layers: your existing security management system, plus a set of privacy-specific documents and records. This ISO 27701 requirements checklist walks through both so your Privacy Information Management System is complete before assessment.

[Image: ISO 27701 requirements checklist toolkit templates] A toolkit that turns this ISO 27701 requirements checklist into ready-to-edit files.

Layer 1: your ISO 27001 documentation

ISO 27701 doesn’t replace ISO 27001’s requirements — it builds on them. So you still need your ISMS scope, information security policy, risk assessment and treatment, Statement of Applicability, and all the mandatory records. See our ISO 27001 required documents checklist for that foundation, and how the two standards fit together.

Layer 2: the privacy-specific documents

On top of the ISMS, ISO 27701 adds documentation to manage personal data, typically including:

  • Privacy (PII protection) policy — your organization’s commitments on personal data.
  • Extended scope — your ISMS scope expanded to cover privacy / the PIMS.
  • Records of PII processing — what data you process, why, and on what basis (comparable to a GDPR record of processing activities).
  • Extended Statement of Applicability — covering the Annex A (controller) and/or Annex B (processor) controls that apply to you.
  • Privacy risk / impact assessments — assessing risks to individuals from your processing.
  • Privacy notices — how you inform individuals about processing.
  • Data subject rights procedures — handling access, correction, deletion, and other requests.
  • Retention and disposal schedules for personal data.
  • PII breach handling — detecting, assessing, and reporting personal-data breaches.
  • Records of consent and, where relevant, data-sharing or transfer agreements.

Important: Which controls and documents apply depends on whether you’re a PII controller, a processor, or both — and on the privacy laws you’re subject to. Confirm against ISO/IEC 27701:2019 and your legal obligations.

Skip the blank page.

The ISO 27701 Toolkit includes every privacy document below — the privacy policy, records of processing, controller/processor controls, and data-subject-request procedures — as editable, auditor-written files mapped to ISO/IEC 27701:2019.

Get the ISO 27701 Toolkit →

Controller vs. processor documentation

The Annex A controls apply to PII controllers and the Annex B controls to PII processors. If you’re both (many organizations are), you document both sets. Understanding your role is the starting point for your whole PIMS.

How to work through your ISO 27701 requirements checklist

Start with your ISO 27001 foundation, because ISO 27701 assumes it: your ISMS scope, risk assessment, and Statement of Applicability all extend to cover privacy. Then add the privacy layer — a description of your role as controller or processor, records of processing activities, privacy impact assessments, and policies for data subject rights, retention, and transfers. Whether you are a PII controller or a processor changes which Annex controls apply, so tailor the checklist accordingly. The standard itself is published by ISO/IEC, and building your ISO 27701 requirements checklist on a solid ISO 27001 base is what keeps a joint audit of both standards efficient.

Frequently asked questions

Can I document ISO 27701 without ISO 27001?

No — the privacy documentation sits on top of an ISO 27001 ISMS. The two are designed as one integrated system.

Is a record of processing mandatory?

Records of PII processing are central to a PIMS and closely mirror what privacy laws like GDPR expect.

New to the standard? Start with our complete guide to ISO 27701.

Keep the checklist living: privacy obligations change as your processing does, so revisit it whenever you add a data flow, a sub-processor, or a new jurisdiction.

One practical tip: don’t rebuild what ISO 27001 already gives you. Reuse your existing policies and simply extend them with privacy clauses where the checklist calls for it. That reuse is the single biggest time-saver when working through an ISO 27701 requirements checklist.
