ISO 27701:2019 Checklist

Privacy Information Management

1.0 Context

The Organisation

Have you determined and documented your role as PII Controller and/or Processor?

Interested Parties

Have you determined the internal and external issues that will impact your Privacy Information Management System, including applicable legislation, judicial decisions, organisational context, contractual requirements, etc.?

Have you included the processing of PII in your ISMS scope?

2.0 Planning

Risk & Opportunities

Have you applied your information security risk assessment process to identify risks associated with confidentiality, integrity, and availability of PII and other information?

Have you ensured the relationship between information security and PII protection is appropriately managed?

When assessing the applicability of control objectives from Annex A, have you considered both risks to information security and risks related to the processing of PII?

3.0 Information Security Policies

Have you considered your commitment to achieving compliance with applicable PII regulations in your privacy policies and your contractual agreements?

Have you produced a statement (either in existing policies or as a standalone policy) concerning support for and commitment to achieving compliance with applicable PII protection legislation/regulations and with any contractual obligations?

4.0 Organisation of Information Security

Internal Organisation

Have you designated a point of contact for the customer with regard to their PII?

Have you developed and implemented an organisation-wide governance and privacy program for staff to understand and comply with applicable privacy regulations?

Have you appointed at least one person to be responsible for the maintenance of the governance and privacy program, and are they aware of their responsibilities?

5.0 Human Resource Security

Have you made relevant staff aware of incident reporting and the consequences to themselves, the organisation and the PII principal in the case of a breach of privacy or security?

6.0 Asset Management

Has your information classification system explicitly considered PII, where it is stored and the systems through which it can flow?

Are you documenting any use of removable media and/or devices used for the storage of PII?

Are you disposing of PII on removable media such that it will no longer be accessible?

7.0 Access Control

Do you have documented procedures for registration and de-registration of users who administer or operate systems that process PII?

8.0 Cryptographic Controls

Do you communicate to your customers the circumstances in which cryptography is used to protect PII?

9.0 Physical and Environmental Security

Are you ensuring that when storage space is re-assigned, any previously stored PII is no longer accessible?

Are you restricting the production of hard copy material including PII to the minimum?

10.0 Communications Security

Information Transfer

Have you put procedures in place to ensure that rules regarding PII are enforced throughout the organisation?

Confidentiality or Non-Disclosure Agreements

Do you ensure everyone with access to PII signs and agrees to a non-disclosure agreement or similar?

11.0 Operations Security

Back Up

Do you have a documented policy that includes the requirements for backup, recovery and restoration of PII that is communicated and available to all relevant staff?

Do you have processes in place to identify incompleteness/inaccuracy and to resolve this?

Do you have responsibilities in relation to communicating with customers about PII back up and restoration?

Is there a procedure for and log of PII restoration efforts?

Do you have external obligations with respect to back up and are you compliant?

Are you able to document and demonstrate all of your compliance with external obligations in relation to restoring log content?

Do you have processes in place to ensure PII is restored to a state where integrity can be assured?

Do you have a process to review event logs either using continuous automated monitoring and alerting processes or manually?

For PII Processors Only

Do you have a documented set of criteria that defines if, when and how log information can be made available to the customer?

Have you put controls in place to ensure customers can only access their own logs and not those of others?

Protection of Log Information

Have you put controls in place to ensure log information is used only as intended?

Have you put in place a procedure (preferably automatic) to ensure logged information is either deleted or de-identified?

12.0 Systems Acquisition, Development & Maintenance

Securing Application Services on Public Networks

Do you ensure that PII is only transmitted over trusted networks, or where it must be transmitted over untrusted networks it is encrypted?

Secure Systems Engineering Principles

Are your systems and components involved in the processing of PII designed in alignment with local privacy regulations?

Test Data

How do you ensure that PII is not used for testing purposes?

Security in Development & Support Processes

Do your system development and design policies consider PII needs based on local regulations?

Do your policies contribute to privacy by design and privacy by default, and consider the following aspects?

  • Guidance on PII protection throughout the software development cycle
  • Privacy and PII protection requirements in the design phase, which can be based on the risk assessment
  • PII protection checkpoints and milestones
  • Required privacy knowledge
  • Minimise PII processing by default

13.0 Information Security Incident Management

Responsibilities & Procedures

For PII Processors

Do provisions covering the notification of a breach form part of the contract with your customer?

Does the contract specify how this information should be provided?

Are there obligations to notify the PII controller of a breach?

Do you have processes for recording the following details of a breach?

  • Description
  • Time Period
  • Consequence
  • Who reported it
  • To whom it was reported
  • How it was resolved
  • Description of the loss/unavailability of PII

Does the record include a description of the PII compromised?

Do you have a process to record all notifications to the customer and/or regulatory agencies?

14.0 Compliance

Identification of Applicable Legislation & Contractual Requirements

Have you identified any legal consequences that can arise from non-compliance with privacy regulations related to the processing of PII?

Protection of Records

Do you retain historical copies of your privacy policies and associated procedures for the time specified by your local privacy regulations?

Independent Review of Information Security

Do you have an independent third party contracted to conduct audits on your information security to ensure it is implemented and operated in accordance with your policies and procedures?

Technical Compliance Review

Have you implemented methods of reviewing tools and components related to processing PII?

15.0 Supplier Relationships

Addressing Security Within Supplier Agreements

Do you specify in supplier agreements whether PII is processed, and the minimum protection measures the supplier needs to meet?

ANNEX – Additional Information

7.2 Conditions for collecting and processing
  • Documented legality and purposes for data collection.
  • Documented processes for obtaining consent from the PII principal.
  • Roles and responsibilities of any joint PII controller(s).

7.3 Obligations to PII Principals
  • Documented legal, regulatory and business obligations to PII principals.
  • Method by which the PII principal can access, correct and/or erase data, modify or withdraw consent or object to processing, and have changes communicated to any third parties.
  • Ability to provide a copy of processed data to the PII principal on request.
  • Documented policies and procedures on handling legitimate PII principal requests.

7.4 Privacy by design and privacy by default
  • Limit data collection and processing to only the information that is relevant and necessary.
  • Documented data minimisation objectives and mechanisms to meet those objectives.
  • Delete or de-identify PII upon completion of processing, and only retain PII for as long as necessary.
  • Documented policies and procedures for secure disposal of PII.

7.5 PII sharing, transfer and disclosure
  • Documented justification for the transfer of PII between jurisdictions, as well as the countries and international organisations to which PII may be transferred.
  • Record transfers of PII between third parties.

8.2 Conditions for collecting and processing
  • The contract to process PII addresses your role in providing assistance with the customer’s obligations.
  • Ensure PII is only processed for the purposes expressed by the customer, and inform the customer if a processing instruction infringes any applicable legislation and/or regulation.
  • Document and maintain records in support of demonstrating compliance with the obligations specified in the contract.

8.3 Obligations to PII Principals
  • Provide the customer with the means to comply with obligations related to PII principals.
  • Provide PII principals with the appropriate information relating to the processing of their PII.

8.4 Privacy by design and privacy by default
  • Temporary files created as a result of the processing of PII are disposed of securely.
  • Documented policy on secure return, transfer and disposal of PII, available to the customer.
  • Controls in place for the transmission of PII to ensure the information reaches the intended destination.

8.5 PII sharing, transfer and disclosure
  • Obligation to inform the customer of the justification for any intended transfers between jurisdictions, giving the customer the option to object.
  • Maintain records of what PII has been disclosed to third parties, as well as to whom and when.
  • Obligation to notify the customer of any legally binding requests for PII to be disclosed.
  • Reject non-legally binding requests for disclosure of PII, or consult the customer before disclosing PII.
  • Disclose any use of subcontractors to the customer, engage subcontractors in accordance with the agreement with the customer, and inform the customer of intended changes regarding the use of subcontractors, giving the customer the option to object.

What is a Privacy Information Management System?

ISO 27701 Privacy Information Management Systems is an extension of ISO 27001 designed to help organisations meet the ever-changing legal requirements surrounding data collection and privacy.

Why do I need ISO 27701 Privacy Certification?

Certification to ISO 27701 provides you with an independent endorsement that your Privacy Information Management System meets international standards, giving your stakeholders confidence that you take privacy seriously.

What are the benefits of Privacy Certification?

ISO 27701 Privacy Certification provides your organisation with an independent endorsement to stakeholders that your organisation takes privacy seriously and has adequate systems in place to manage sensitive information.

How can I get certified?

Getting ISO certification is a lot easier than you might think. We take you through the three-step audit process, from your initial enquiry to the final certification decision.

ISO 27701 Certification Throughout Australia

Compass Assurance Services has offices and staff located throughout Australia, including Brisbane, Melbourne, Perth and Sydney, to help organisations all over Australia receive their ISO 27701 certification.
